A glance at the headlines reveals that data privacy breaches are increasingly common, and the consequences to corporations (in terms of reputational damage, potential liability and costs to remedy) are increasingly dire.
To avoid those consequences, any corporate entity that collects, uses or transfers personal information must take steps to ensure it is complying with legal requirements for maintaining data privacy and, equally important, living up to the trust of its employees, customers, partners and suppliers.
How can that be done?
A privacy audit provides a means of benchmarking corporate privacy practices against what the law requires and what industry best practices demand.
So what exactly does a privacy audit entail?
As explained below, it need not be a daunting or expensive undertaking. With the proper tools, support from corporate management, a motivated audit team and a few guidelines, a privacy audit can be conducted using primarily internal resources and with little or no business disruption. If performed properly, a privacy audit will result in a clear understanding of an organization's personal data flows and a comprehensive information security/privacy program that will protect personal data from unlawful collection, handling and disclosure.
Types of Privacy Audits
Broadly speaking, there are two types of privacy audits: an “adequacy” audit and a “compliance” audit.
Adequacy Audit
An adequacy audit is aimed at: 1) determining whether an organization's data privacy policies are adequate to address the requirements of all applicable data protection laws and regulations, domestic and international; and 2) making sure they apply to all data processing that an organization actually conducts.
This type of audit involves not only a review of all company policies, procedures, codes of practice and guidelines that affect the handling of personal data within the company and in dealing with third parties such as vendors and suppliers, but also requires an understanding and mapping of data flows across the enterprise.
An adequacy audit may well reveal serious gaps in an organization's data privacy policies, given the types of personal data being handled and the ways it is being stored, transferred and otherwise processed. In that case, while an organization could proceed right away with conducting a compliance audit, the better practice, in my view, is to first remedy the policies and procedures found wanting before continuing to the compliance audit.
Why?
The answer: because the purpose of a compliance audit is to determine whether a company is hitting the targets established by its privacy program. If those targets are non-existent, or poorly placed, it will be a false victory to declare that they have been achieved.
Compliance Audit
The compliance audit sets a higher hurdle than the adequacy audit: to determine whether an organization is abiding by the policies and procedures identified during (and perhaps improved as a result of) the adequacy audit. It requires an investigation of how personal data is handled in practice within the various business units, across departments and when dealing with third parties.
A comprehensive compliance audit should also examine such factors as whether the organization offers data privacy compliance training, how data privacy policies are disseminated to employees and how complaints of policy violations are handled. The depth of the compliance audit will depend on perceived risks to the enterprise of violations and data breaches.
Tools for a Privacy Audit
Two essential tools are part of a privacy audit toolkit: 1) questionnaires and follow-up interviews aimed at mapping data flows and processing; and 2) a data privacy table or matrix that allows the tabulation of the results of the audit.
Questionnaires and Interviews
For the adequacy audit and the compliance audit, drafting a questionnaire to be completed by the various business units that handle personal data is a critical step. The questionnaire should seek answers to questions such as the following:
Answers to the questionnaire should be collected from each of the business units that may handle personal data, typically including human resources, information technology, marketing and customer sales/support. Each of the department heads should be required to ensure that the questionnaire is completed fully and accurately.
(Editor's note: For more on this topic, see “Litigation Support for Information Governance: Protection of Personal Identifiable Information Is Not a Matter to Be Taken Lightly – Make a Plan,” in the May 2012 edition of e-Commerce Law & Strategy, at http://bit.ly/PJtOuL, and for more on European Union standards, see “New European Data Protection Regulation Draft,” in the April 2012 edition of e-Commerce Law & Strategy, http://bit.ly/HVkiAS.)
Following Up
Inevitably, responses to the questionnaire will raise additional questions, which is where the follow-up interview comes in. Personal interviews with executives and employees responsible for handling personal data within an organization allow for a deeper dive into the whys and hows of personal data processing. For example, the questionnaire may reveal that the human resources department is retaining employee information for years after an employee has left the company, but cannot explain the rationale for such retention. That rationale can then be explored during a follow-up interview.
The importance of the questionnaire and follow-up interview in determining compliance with data privacy policies should be obvious, but the responses are equally important in determining the adequacy of the policies themselves. Too many companies put privacy policies in place with only a dim understanding of how applicable they are to actual enterprise data flows. The questionnaire/interview responses should be geared toward making sure there is alignment between policies, and actual personal data collection and handling.
Privacy Adequacy and Compliance Matrix
The other essential privacy audit tool is a matrix that organizes the results of the audit questionnaire, and the review of an organization's privacy policies and procedures. The format for this matrix I have found most useful is a table with the following headings:
In deciding what privacy principles should be achieved, an organization need not start from scratch. There are a number of templates that can be reviewed and borrowed from. I have found the privacy risk assessment tool developed jointly by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants, based on generally accepted privacy principles, to be especially helpful for this purpose. In the European Union, some national data protection authorities have issued their own auditing guidelines. For instance, the Netherlands has published a privacy audit framework to guide the auditing process.
While an audit report should also contain a narrative of audit results and conclusions, the adequacy/compliance matrix provides a convenient method for compiling the results of the privacy audit in easily understandable form and for ready reference. Equally important, the matrix allows for ready apples-to-apples benchmarking of an organization's progress in satisfying relevant data privacy requirements from year to year.
Procedures
Assembling an Audit Team
A threshold question when preparing for a privacy audit is whether the audit will be conducted internally, by an outside audit team, or using some mixture of internal and external resources.
Several advantages of conducting a privacy audit using existing corporate resources (including the internal audit team, if there is one) can be easily identified:
A few disadvantages of using an internal audit team should be noted, however:
In my opinion, the solution that best combines audit depth and comprehensiveness with cost-efficiency is an in-house audit team (including representatives from legal, finance, HR, IT and marketing) under the guidance of an outside privacy audit professional. That way, an organization reaps the advantages of internal institutional knowledge along with the objectivity and experience of someone with privacy audit experience.
Setting the Tone at the Top
Once a decision is made about who will make up the audit team, and an audit start date is agreed on, it is important to consider the “messaging” of the audit undertaking. As with all corporate legal compliance initiatives, the so-called tone at the top is critical.
One tried-and-true strategy is for the CEO to distribute a memorandum describing why a privacy audit is being conducted, who will be leading the effort and what participation will be required from business units. A memorandum with the CEO's imprimatur will help overcome any reluctance of staff to set aside their usual duties to support the audit. If appropriate, the memorandum should note that the board of directors is fully behind the audit.
The Aftermath
Once the privacy audit is completed, an audit report should be prepared. The audit report will include the privacy adequacy and compliance matrix discussed earlier in this article, which will incorporate the results of the questionnaire and follow-up interviews, as well as the review of the organization's policies and procedures. The audit report should also include a narrative that addresses such factors as:
For purposes of closing any gaps in existing organization policies and procedures, one option would be to create a new information security/data privacy program. There may be merit to such an approach, depending on how up-to-date existing policies are and how much the organization's data processing activities have changed since the policies were put in place.
However, the organization may also find that it already has many elements necessary for a robust, up-to-date data protection program (an acceptable use policy here, an online privacy policy there) and can knit these disparate pieces together into a comprehensive program that requires only filling in a few gaps. Related policies can be grouped under an umbrella policy that functions as a data privacy mission statement. What is crucial is that the audit report be the basis for action, whether that action is drafting or revising privacy policies, or taking steps to ensure compliance with policies already in place.
Conclusion
In the data privacy sphere, as in e-commerce, the one constant is change. Privacy issues are getting increasingly high priority on political and social agendas as the ease with which personal data can be collected, stored, marketed and transferred globally has expanded, and the term “big data” has entered the vocabulary and the vernacular. One consequence has been more stringent data protection requirements and more draconian penalties for violations; witness the European Union's proposal to impose penalties for violating the EU Data Protection Directive of up to 2% of a company's global annual turnover.
In this environment, the protection of personal data is paramount. Conducting a data privacy audit allows a real-time assessment of how well an organization is living up to its data protection legal obligations as well as how well it is meeting the expectations of its customers, its employees and others. Such an audit simply makes good business sense and need not drain corporate resources, financial or otherwise.